agsandrew - Fotolia
Heartbleed bug still found to affect 200,000 services on the web
Researchers found the infamous Heartbleed bug is still unpatched on as many as 200,000 services connected to the internet and experts don't expect that number to change.
Nearly 200,000 services still vulnerable to the Heartbleed bug have been found connected to the internet, but one expert says that may not be a big deal.
Researchers from Shodan found nearly 200,000 services around the world still connected to the web but not patched against Heartbleed. The plurality of those services are in the US (about 42,000) and most of the vulnerable services are running on the Linux 3.x kernel, according to Shodan's latest Heartbleed Report, post linked to by Shodan founder John Matherly.
Nearly 3 years later and we're still looking at ~200,000 services vulnerable to Heartbleed: https://t.co/KU04PtWTJU pic.twitter.com/6mZhCUCVu6
— John Matherly (@achillean) January 22, 2017
The Heartbleed bug was originally discovered and patched in early 2014, but the OpenSSL flaw gained notoriety because of how widespread it was, how easily exploited and how difficult to patch in many cases -- and because it was one of the first branded vulnerabilities. Now it has become commonplace to compare any new SSL flaw to Heartbleed.
Graham Cluley, independent computer security expert, said system admins have had plenty of time to apply OpenSSL patches and remediate the Heartbleed bug, so he doesn't expect the situation to get better.
"In a year's time, we won't see any significant reduction in the number of Heartbleed vulnerable websites and services connected to the internet," Cluley wrote in a blog post. "This is as good as it's going to get. The people who cared about fixing their systems against the Heartbleed vulnerability did it long ago. The others simply don't give a damn."
Martijn Grooten, security researcher for Virus Bulletin, said the risks presented by the remaining vulnerable services may not be so bad.
Heartbleed is really bad, but exploits of it don't scale well, so 200k vulnerable services is mostly background noise https://t.co/JLFGo717Vl
— Martijn Grooten (@martijn_grooten) January 23, 2017